Skip to content

Security Policy updates#337

Merged
gyro2009 merged 3 commits into
mainfrom
gyro2009/sec-pols-update
Jul 13, 2026
Merged

Security Policy updates#337
gyro2009 merged 3 commits into
mainfrom
gyro2009/sec-pols-update

Conversation

@gyro2009

@gyro2009 gyro2009 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

This pull request introduces important improvements to dependency management policy and pipeline security practices. The main changes include the addition of a comprehensive dependency management policy document, updates to pipeline security requirements to recommend Snyk scanning, and the introduction of specific dependency overrides for enhanced security.

Dependency Management Policy:

  • Added a new ManagingDependencies.md document outlining the organization's policy for managing dependencies, including required controls, tooling guidance (Snyk and Dependabot), vulnerability prioritization, and audit requirements.

Pipeline Security Practices:

  • Updated Baseline_Policy.md to:
    • Strongly recommend the implementation of the UKHO Snyk scan task for dependency checking, SAST, IaC scanning, and container scanning, replacing previous tool recommendations.
    • Clarify DAST guidance, specifying Invicti as the tool and the escalation route for pipeline-based testing.

Dependency Security Overrides:

  • Updated package.json to add explicit overrides for @pnpm/npm-conf and brace-expansion dependencies, ensuring specific versions are used to address potential vulnerabilities or compatibility issues.

@snyk-io-eu

snyk-io-eu Bot commented Jul 13, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@LRileyUKHO LRileyUKHO left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed in team chat, as long as we offer good examples in subsequent documentation i'm happy.

@gyro2009
gyro2009 merged commit 3d4113d into main Jul 13, 2026
3 of 4 checks passed
@gyro2009
gyro2009 deleted the gyro2009/sec-pols-update branch July 13, 2026 16:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants